12.3 Unix RPC Services Countermeasures

Don't run rexd, rusersd, or rwalld RPC services, because they are of
minimal use and provide attackers with both useful information and
direct access to your hosts.

In high-security environments, don't offer any RPC
services to the public Internet. Due to the complexity of these
services, it is highly likely that zero-day exploit scripts will be
available to attackers before patch information is released.

To minimize the risk of internal or trusted attacks against necessary
RPC services (such as NFS components, including statd, lockd, and
mountd), install the latest vendor security patches.

Aggressively filter egress traffic, where possible, to ensure that
even if an attack against an RPC service is successful, a
connect-back shell can't be spawned to the attacker.
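
One way to check a host against the first and third recommendations above, as an added example that is not part of the original text: the function audits `rpcinfo -p` output by RPC program number, since the service-name column can be empty. The function names, the DISABLE/PATCH labels, and the sample listing are constructed for illustration; the program numbers are the standard /etc/rpc assignments.

```shell
#!/bin/sh
# Usage against a host you administer:  rpcinfo -p <host> | audit_rpc

audit_rpc() {
    # stdin: `rpcinfo -p` output; stdout: one finding per registered endpoint.
    awk '
    BEGIN {
        # Services the text says not to run at all.
        remove[100002] = "rusersd"; remove[100008] = "rwalld"
        remove[100017] = "rexd"
        # Necessary NFS components the text says to keep patched.
        patch[100005] = "mountd"; patch[100021] = "lockd"
        patch[100024] = "statd"
    }
    $1 !~ /^[0-9]+$/ { next }          # skip the header and blank lines
    {
        key = $1 "/" $3 "/" $4         # program/proto/port
        if (seen[key]++) next          # report each endpoint once, not per version
        if ($1 in remove)
            printf "DISABLE %s prog=%s %s/%s\n", remove[$1], $1, $3, $4
        else if ($1 in patch)
            printf "PATCH %s prog=%s %s/%s\n", patch[$1], $1, $3, $4
    }'
}

# Constructed sample listing (not captured from a real host). The 100008
# entry has no service name, as happens when /etc/rpc lacks the program.
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100002    2   udp  32772  rusersd
    100002    3   udp  32772  rusersd
    100008    1   udp  32773
    100017    1   tcp  32774  rexd
    100024    1   udp  32775  status
    100021    1   udp   4045  nlockmgr
    100005    1   udp  32780  mountd
    100003    3   udp   2049  nfs
EOF
}

# Run with --sample to see the findings for the constructed listing.
if [ "${1:-}" = "--sample" ]; then sample_rpcinfo | audit_rpc; fi
```
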